package authorizer

import (
	"context"

	"github.com/influxdata/influxdb"
)

var _ influxdb.DashboardService = (*DashboardService)(nil)

// DashboardService wraps a influxdb.DashboardService and authorizes actions
// against it appropriately.
type DashboardService struct {
	s influxdb.DashboardService
}

// NewDashboardService constructs an instance of an authorizing dashboard serivce.
func NewDashboardService(s influxdb.DashboardService) *DashboardService {
	return &DashboardService{
		s: s,
	}
}

func newDashboardPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
	return influxdb.NewPermissionAtID(id, a, influxdb.DashboardsResourceType, orgID)
}

func authorizeReadDashboard(ctx context.Context, orgID, id influxdb.ID) error {
	p, err := newDashboardPermission(influxdb.ReadAction, orgID, id)
	if err != nil {
		return err
	}

	if err := IsAllowed(ctx, *p); err != nil {
		return err
	}

	return nil
}

func authorizeWriteDashboard(ctx context.Context, orgID, id influxdb.ID) error {
	p, err := newDashboardPermission(influxdb.WriteAction, orgID, id)
	if err != nil {
		return err
	}

	if err := IsAllowed(ctx, *p); err != nil {
		return err
	}

	return nil
}

// FindDashboardByID checks to see if the authorizer on context has read access to the id provided.
func (s *DashboardService) FindDashboardByID(ctx context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
	b, err := s.s.FindDashboardByID(ctx, id)
	if err != nil {
		return nil, err
	}

	if err := authorizeReadDashboard(ctx, b.OrganizationID, id); err != nil {
		return nil, err
	}

	return b, nil
}

// FindDashboards retrieves all dashboards that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *DashboardService) FindDashboards(ctx context.Context, filter influxdb.DashboardFilter, opt influxdb.FindOptions) ([]*influxdb.Dashboard, int, error) {
	// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
	// will likely be expensive.
	bs, _, err := s.s.FindDashboards(ctx, filter, opt)
	if err != nil {
		return nil, 0, err
	}

	// This filters without allocating
	// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
	dashboards := bs[:0]
	for _, b := range bs {
		err := authorizeReadDashboard(ctx, b.OrganizationID, b.ID)
		if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
			return nil, 0, err
		}

		if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
			continue
		}

		dashboards = append(dashboards, b)
	}

	return dashboards, len(dashboards), nil
}

// CreateDashboard checks to see if the authorizer on context has write access to the global dashboards resource.
func (s *DashboardService) CreateDashboard(ctx context.Context, b *influxdb.Dashboard) error {
	p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.DashboardsResourceType, b.OrganizationID)
	if err != nil {
		return err
	}

	if err := IsAllowed(ctx, *p); err != nil {
		return err
	}

	return s.s.CreateDashboard(ctx, b)
}

// UpdateDashboard checks to see if the authorizer on context has write access to the dashboard provided.
func (s *DashboardService) UpdateDashboard(ctx context.Context, id influxdb.ID, upd influxdb.DashboardUpdate) (*influxdb.Dashboard, error) {
	b, err := s.s.FindDashboardByID(ctx, id)
	if err != nil {
		return nil, err
	}

	if err := authorizeWriteDashboard(ctx, b.OrganizationID, id); err != nil {
		return nil, err
	}

	return s.s.UpdateDashboard(ctx, id, upd)
}

// DeleteDashboard checks to see if the authorizer on context has write access to the dashboard provided.
func (s *DashboardService) DeleteDashboard(ctx context.Context, id influxdb.ID) error {
	b, err := s.s.FindDashboardByID(ctx, id)
	if err != nil {
		return err
	}

	if err := authorizeWriteDashboard(ctx, b.OrganizationID, id); err != nil {
		return err
	}

	return s.s.DeleteDashboard(ctx, id)
}

func (s *DashboardService) AddDashboardCell(ctx context.Context, id influxdb.ID, c *influxdb.Cell, opts influxdb.AddDashboardCellOptions) error {
	b, err := s.s.FindDashboardByID(ctx, id)
	if err != nil {
		return err
	}

	if err := authorizeWriteDashboard(ctx, b.OrganizationID, id); err != nil {
		return err
	}

	return s.s.AddDashboardCell(ctx, id, c, opts)
}

func (s *DashboardService) RemoveDashboardCell(ctx context.Context, dashboardID influxdb.ID, cellID influxdb.ID) error {
	b, err := s.s.FindDashboardByID(ctx, dashboardID)
	if err != nil {
		return err
	}

	if err := authorizeWriteDashboard(ctx, b.OrganizationID, dashboardID); err != nil {
		return err
	}

	return s.s.RemoveDashboardCell(ctx, dashboardID, cellID)
}

func (s *DashboardService) UpdateDashboardCell(ctx context.Context, dashboardID influxdb.ID, cellID influxdb.ID, upd influxdb.CellUpdate) (*influxdb.Cell, error) {
	b, err := s.s.FindDashboardByID(ctx, dashboardID)
	if err != nil {
		return nil, err
	}

	if err := authorizeWriteDashboard(ctx, b.OrganizationID, dashboardID); err != nil {
		return nil, err
	}

	return s.s.UpdateDashboardCell(ctx, dashboardID, cellID, upd)
}

func (s *DashboardService) GetDashboardCellView(ctx context.Context, dashboardID influxdb.ID, cellID influxdb.ID) (*influxdb.View, error) {
	b, err := s.s.FindDashboardByID(ctx, dashboardID)
	if err != nil {
		return nil, err
	}

	if err := authorizeReadDashboard(ctx, b.OrganizationID, dashboardID); err != nil {
		return nil, err
	}

	return s.s.GetDashboardCellView(ctx, dashboardID, cellID)
}

func (s *DashboardService) UpdateDashboardCellView(ctx context.Context, dashboardID influxdb.ID, cellID influxdb.ID, upd influxdb.ViewUpdate) (*influxdb.View, error) {
	b, err := s.s.FindDashboardByID(ctx, dashboardID)
	if err != nil {
		return nil, err
	}

	if err := authorizeWriteDashboard(ctx, b.OrganizationID, dashboardID); err != nil {
		return nil, err
	}

	return s.s.UpdateDashboardCellView(ctx, dashboardID, cellID, upd)
}

func (s *DashboardService) ReplaceDashboardCells(ctx context.Context, id influxdb.ID, c []*influxdb.Cell) error {
	b, err := s.s.FindDashboardByID(ctx, id)
	if err != nil {
		return err
	}

	if err := authorizeWriteDashboard(ctx, b.OrganizationID, id); err != nil {
		return err
	}

	return s.s.ReplaceDashboardCells(ctx, id, c)
}
